Monday, December 27, 2010

7 Practical uses of Openssl

In a previous article we saw the basics of encryption and of the asymmetric keys used in e-mail. On Linux the most widely used program that deals with security and encryption is OpenSSL.

OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400). OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson, development of which unofficially ended around December 1998, when Young and Hudson both started to work for RSA Security.

Today we will see some practical uses of programs that rely on OpenSSL.

A fundamental use of OpenSSL is to create your own Certification Authority (CA), with which you can generate certificates to be used later in other programs. Since this is a long topic it is not discussed in this article; here we will look at the simpler and less commonly used OpenSSL commands.

Connect to a https service

Sometimes it is useful to have the equivalent of a “telnet myservice 80”, but against an https site telnet does not work, so you need an openssl command:

openssl s_client -connect host:443 -state -debug
GET / HTTP/1.0

You’ll get very long output, but you’ll be able to test and debug the encrypted HTTP session as well.

Generate random numbers or strings

To generate random strings you can use openssl rand; to generate a random integer you can use:

root@laptop:~# echo $(openssl rand 4 | od -DAn)
1173091498

If instead you want a base64 string (perhaps as a random password):

root@laptop:~# openssl rand -base64 6
Cki3awd4
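The two commands above give a raw 32-bit integer and a base64 string. The script below is an added example, not part of the original article: it wraps openssl rand in small shell functions and shows how to turn the raw integer into a uniformly distributed number in a chosen range. A plain "random % N" is biased whenever 2^32 is not a multiple of N, so the bounded draw uses rejection sampling. Function names and the d6 usage are my own construction.

```shell
#!/bin/sh
# Added example, not from the original article: turning `openssl rand` output into
# the values a script actually needs. Function names are constructed for illustration.

# rand_password BYTES: BYTES of randomness encoded as base64 (6 bytes = 48 bits = 8 characters,
# as in the article's example). Padding '=' and the newline are stripped so it pastes cleanly.
rand_password() { openssl rand -base64 "$1" | tr -d '=\n'; }

# rand_hex BYTES: same entropy as hexadecimal, handy for tokens that must survive URL encoding.
rand_hex() { openssl rand -hex "$1"; }

# rand_uint32: one unsigned 32-bit integer; -tu4 is the portable spelling of the article's od -DAn.
rand_uint32() { openssl rand 4 | od -An -tu4 | tr -d ' \n'; }

# rand_below N: a uniform integer in [0, N). "$(rand_uint32) % N" alone is biased because
# 2^32 is not a multiple of N; rejection sampling redraws the rare values at or above the
# largest multiple of N that fits in 32 bits, so every residue is equally likely.
rand_below() {
    n=$1
    [ "$n" -gt 0 ] && [ "$n" -le 4294967296 ] || return 1
    limit=$(( (4294967296 / n) * n ))
    while :; do
        r=$(rand_uint32)
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    echo "password: $(rand_password 6)"
    echo "token:    $(rand_hex 16)"
    echo "uint32:   $(rand_uint32)"
    echo "d6 roll:  $(( $(rand_below 6) + 1 ))"
fi
```

Six bytes of randomness is only 48 bits; for anything that must resist offline guessing, pass a larger byte count rather than a longer-looking encoding.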

Verify an online certificate from the command line

The most advanced clients are not always the most convenient way to look at a certificate; with this command you can verify the certificate of an https site, or perhaps of an ldaps one:
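To make both of the procedures above reproducible without a live host ("Connect to a https service" and "Verify an online certificate from the command line"), here is an added example that is not part of the original article. It starts openssl s_server on 127.0.0.1 with a throw-away self-signed certificate, sends the article's GET / HTTP/1.0 through s_client, reads the "Verify return code" that s_client reports, and pulls the presented certificate out of the handshake for x509 to read, exactly as you would against a real https or ldaps service. Port 14433, the /CN=localhost subject, and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original article: a local TLS round trip with
# openssl s_server and s_client. Assumptions: port 14433 on 127.0.0.1 is free,
# the subject /CN=localhost, and a one-day throw-away self-signed certificate
# generated here as constructed test material.

PORT=14433
WORK=$(mktemp -d)

# Throw-away key and self-signed certificate; the cert also serves as the trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# start_server: serve the built-in -www status page over TLS in the background,
# then wait until a handshake succeeds so the client functions never race the bind.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" -www \
        >/dev/null 2>&1 &
    SERVER_PID=$!
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        if openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
    done
    return 1
}

# https_get: the article's "GET / HTTP/1.0" typed into s_client, non-interactively.
# The sleep keeps stdin open long enough for the response to arrive; -CAfile names
# the trust anchor the server certificate is checked against. Prints the status line.
https_get() {
    { printf 'GET / HTTP/1.0\r\n\r\n'; sleep 1; } \
        | openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/cert.pem" 2>/dev/null \
        | grep '^HTTP/1\.0' | head -n 1 | tr -d '\r'
}

# verify_code [CAFILE]: the "Verify return code" s_client reports after the handshake.
# 0 means the chain validated against the given CA file; anything else names the
# failure, e.g. 18 when a self-signed certificate is not in the trust store used.
# Without CAFILE, s_client falls back to the system trust store.
verify_code() {
    if [ -n "${1:-}" ]; then set -- -CAfile "$1"; fi
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# server_subject: pull the certificate the server presented out of the handshake
# and hand it to x509, the same way you would inspect a live https or ldaps host.
server_subject() {
    openssl s_client -connect "127.0.0.1:$PORT" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    rm -rf "$WORK"
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    start_server
    https_get
    echo "verify against our own CA file: $(verify_code "$WORK/cert.pem")"
    echo "verify against the system store: $(verify_code)"
    server_subject
    stop_server
fi
```

The two verify_code calls in the usage block make the point of the section: the same certificate is "0 (ok)" when checked against the CA that actually signed it and a non-zero code when checked against a store that does not contain it, which is the signal to look for before trusting an unfamiliar service.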

Extract information from a certificate

An SSL certificate contains a wide range of information: issuer, validity dates, subject, and some hardcore crypto stuff. The x509 subcommand is the entry point for retrieving this information. The examples below all assume that the certificate you want to examine is stored in a file named cert.pem.
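As an added example (not from the original article), the script below wraps the x509 calls a practitioner reaches for on cert.pem: the individual header fields, the Common Name on its own, the SHA-256 fingerprint used for out-of-band comparison, an expiry check suitable for a monitoring job, and a self-signed test. Because the article's cert.pem is not available here, the script generates constructed test material with an assumed subject (/O=Constructed Test/CN=example.test) valid for 30 days unless CERT points at a real file.

```shell
#!/bin/sh
# Added example, not from the original article: reading cert.pem with the x509
# subcommand. The certificate is constructed test material generated here
# (assumed subject /O=Constructed Test/CN=example.test, valid 30 days) so that
# the script runs offline; set CERT to a real file to inspect that instead.

WORK=$(mktemp -d)
CERT=${CERT:-$WORK/cert.pem}
if [ ! -f "$CERT" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Constructed Test/CN=example.test" \
        -keyout "$WORK/key.pem" -out "$CERT" >/dev/null 2>&1
fi

# cert_text: the full human-readable dump (extensions, key size, signature algorithm).
cert_text() { openssl x509 -in "$CERT" -noout -text; }

# cert_field NAME: one header field: subject, issuer, serial, startdate, enddate or dates.
cert_field() { openssl x509 -in "$CERT" -noout "-$1"; }

# cert_subject_cn: just the Common Name, tolerant of the "CN=" and "CN = " spellings
# printed by different OpenSSL releases.
cert_subject_cn() { cert_field subject | sed 's/.*CN *= *//'; }

# cert_sha256: the SHA-256 fingerprint as colon-separated hex, the value you compare
# out of band when deciding whether to trust a certificate.
cert_sha256() { openssl x509 -in "$CERT" -noout -fingerprint -sha256 | sed 's/.*Fingerprint=//'; }

# cert_valid_for SECONDS: succeeds if the certificate is still valid that far ahead
# (x509 -checkend), which is how a monitoring job catches expiry before users do.
cert_valid_for() { openssl x509 -in "$CERT" -noout -checkend "$1" >/dev/null; }

# cert_is_self_signed: a certificate whose issuer equals its subject was not issued by a CA.
cert_is_self_signed() {
    [ "$(cert_field subject | sed 's/^subject= *//')" = "$(cert_field issuer | sed 's/^issuer= *//')" ]
}

# Usage: sh this_script.sh run   (or CERT=/path/to/cert.pem sh this_script.sh run)
if [ "${1:-}" = "run" ]; then
    cert_field subject; cert_field issuer; cert_field serial; cert_field dates
    echo "CN: $(cert_subject_cn)"
    echo "SHA-256: $(cert_sha256)"
    cert_valid_for 604800 && echo "valid for at least 7 more days" || echo "expires within 7 days"
    cert_is_self_signed && echo "self-signed" || echo "CA-issued"
    cert_text | head -n 20
fi
```

cert_valid_for is the piece worth scheduling: run it with the number of seconds of warning you want and alert on a non-zero exit.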

Benchmark remote connections

The s_time subcommand lets you test connection performance. The simplest invocation runs for 30 seconds, uses any cipher, and uses SSL handshaking to determine the number of connections per second, for both new and reused sessions:

openssl s_time -connect remote.host:443

Beyond that simplest invocation, s_time offers a wide variety of testing options.